In a U.S. Securities and Exchange Commission 8-K disclosure filing on Thursday, Oct. 5, MGM Resorts reported losing around $100 million after a September 11 breach incident.
In an open letter published last Thursday evening, MGM CEO Bill Hornbuckle said that "the vast majority of our systems have been restored," adding, "We also believe that this attack is contained."
"As part of our remediation efforts, we have rebuilt, restored, and further strengthened portions of our IT environment," Hornbuckle said. "We will offer free identity protection and credit monitoring services to individuals who receive an email from us indicating that their information was impacted."
Jose Seara, founder and CEO of DeNexus, Inc., said in an Oct. 7 LinkedIn post that these types of disclosures will become more common under the new SEC rules and offered these highlights:
- MGM responded swiftly and shut down its systems to mitigate risk to customer information.
- $100M impact to EBITDAR (non-GAAP metrics are getting interesting)
- $10M in one-time fees, including technology consulting (too late?), legal, and advisory fees
- Customers data compromised, including name, contact information, gender, date of birth and driver's license number. For a limited number of customers, Social Security numbers and passport numbers were also obtained by the criminal actors.
- MGM does not believe that customer passwords, bank account numbers, or payment card information were obtained by the criminal actors.
- MGM currently believes that its cybersecurity insurance will be sufficient to cover the financial impact to its business as a result of the operational disruptions, the one-time expenses, and future expenses.
- BUT the full scope of the costs and related impacts of this issue has not been determined.
See full details of the breach from our original article on Sep. 12 below.
~~~
MGM Resorts International, a casino and hotel chain, announced that it had suffered a cybersecurity breach on Monday, September 11. The incident affected some of the company's online systems, including its website, payment processing systems, and digital room keys. As a result of the breach, some customers were unable to make reservations, use their credit cards, or access their hotel rooms.
MGM Resorts said that it had taken steps to secure its systems and data, including shutting down certain systems. The company also said that it was working with law enforcement and external cybersecurity experts to investigate the incident.
The breach is the second major cybersecurity incident to hit MGM Resorts in recent years. In 2019, the company was the victim of a data breach that exposed the personal information of about 142 million guests.
[RELATED: Celebrity A-Listers, Millions of Guests Have Data Stolen in MGM Resorts Breach]
Here are some additional details about the breach:
- The breach affected systems at MGM properties in Las Vegas, Mississippi, and Maryland.
- The company said that it was not aware of any unauthorized access to guest financial information.
- MGM is offering free credit monitoring and identity protection services to affected guests.
The FBI is investigating the breach.
Here are some comments from cybersecurity vendor experts about the incident.
Callie Guenther, Cyber Threat Research Senior Manager at Critical Start:
"The nature of the widespread outages and disruptions aligns most closely with a ransomware attack. The breadth of affected systems and services suggests a concerted effort to disrupt operations, which is consistent with ransomware tactics. While less likely, we cannot rule out a DDoS attack given the sheer volume of outages. However, the internal system disruptions do hint towards something more invasive. An Advanced Persistent Threat (APT) targeted attack is another possibility. Large corporations, especially those involved in sectors like hospitality and gambling, can also be targets for APTs. These are sophisticated, prolonged cyber-espionage campaigns often sponsored by nation-states. The aim is to maintain long-term access to the victim's network, often for intelligence gathering. But the immediate and broad impact seems to lean more towards a ransomware-style disruption.
Casinos, given their high financial turnover, are prime targets for cybercriminals seeking financial data such as credit card information. Personal information is another lucrative target, as evidenced by MGM's previous breach in 2019. Disrupting operational infrastructure can also cause direct financial losses and tarnish the reputation of the establishment. Due to the significant daily turnovers, attackers may assume that casinos are likely to pay a ransom swiftly to resume operations.
The data provided does not yield indicators pointing to a specific threat actor or group. Attribution is an intricate process requiring in-depth forensic analysis, familiarity with particular malware signatures, and often geopolitical knowledge. At this stage, without specific details or a claim of responsibility, any attribution would be speculative."
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea:
"The MGM Resorts IT and security teams are going through security professionals' worst fears and nightmares right now, which all security professionals can empathize with. When cybersecurity incidents occur, they can have a major impact to the business and customers, especially when we are so dependent on technology for payments, communications, digital and physical access, and running critical systems. When systems are down, the business can come to a full stop. In this case, it completely turns off the tap of a major revenue stream that relies on availability and access. I have seen many serious incidents in the past and can only hope that MGM Resorts have a solid incident response plan, have practiced and simulated it, and are prepared and ready to handle this incident. Cybersecurity is a strong community, and we should always be supportive during such serious situations."
Zane Bond, Head of Product at Keeper Security:
"This devastating cyberattack against MGM Resorts International highlights both the high value and extreme vulnerability of the broader hotel and casino industry. As with other industries, casinos and hotels collect a wide range of sensitive information about their guests, from credit card information to PII, all while transacting enormous sums of money. However, with this industry specifically, the intellectual property that underpins casino operations provides an additional unique and extremely valuable target for cybercriminals. Think of all of the software that runs modern gaming systems, like slot machines. Casinos aren't just gaming companies anymore; they're software developers, and these systems are some of the most advanced and connected in the world. The technology in gambling is astounding.
When a large and interconnected system like this is affected by a serious cyber incident, the first step is to stop the attackers and minimize the blast radius. This is done by pulling the affected systems offline, and in this case, either through a direct attack or an abundance of caution, all slot machines on all casino floors in Las Vegas and Atlantic City have been taken offline. The seriousness of this very public decision to take a primary revenue stream offline cannot be understated.
Based on history, the majority of successful casino attacks have happened through insider threats. These types of threats can be mitigated with a variety of cybersecurity measures, including privileged access management which protects privileged accounts, reduces lateral movement within networks, and provides event logging to track the source of unusual activity. With so many of MGM's systems taken offline, we don't yet know what type of cyberattack this was or how it occurred, but we do know simply from the response that it was massive and critical in nature. This is not a single slot machine infected with a virus, which can be rebooted and re-imaged to resolve the issue in a matter of minutes. The fact that this affected casinos in multiple cities indicates this is a significant breach that may have come from an insider threat or a worm that has spread wildly."
Piyush Pandey, CEO at Pathlock:
"According to early reports, the classic targets of money and data seem to be at play here. The lateral movement the attackers have gained has appeared to give them a wide span of control over interconnected systems—ATM and slot machines, electronic room keys, rewards programs, etc. The reports of the rewards program being affected is noteworthy, as that would house a trove of personally identifiable information (PII).
Given the wide range of systems affected, it's possible that a user account in a core application or system was compromised, that allowed for the lateral movement we're seeing. This is a risk with over-entitled roles in critical business applications such as ERP, finance, and HR.
So, what can organizations like casinos do to avoid this type of attack? Coordination between access governance and cybersecurity. Having a strong access governance program—the continual testing and enforcement of application controls—significantly reduces the amount of role attack surface in those applications. Cybersecurity teams also need the ability to detect threats and compromised accounts in real-time, limiting the amount of lateral movement and data exfiltration."
Update (9/14/23):
On September 13, Bloomberg reported that Caesar's Palace had been hacked by a group called Scattered Spider. The hackers reportedly gained access to the company's network in late August and threatened to release stolen data if a ransom was not paid. Caesar's Palace has not publicly confirmed the breach, but it did disclose in a regulatory filing on September 14 that it had been the victim of a "cybersecurity incident."
The full extent of the breach is not yet known, but it is believed that the hackers may have stolen sensitive data on Caesar's Palace customers and employees, including names, addresses, Social Security numbers, and credit card information.
Ramifications of Caesar's Palace breach
The Caesar's Palace cybersecurity breach could have a number of negative ramifications for the company, including:
- Financial losses: Caesar's Palace may be liable for damages to customers whose data was stolen in the breach. The company may also have to spend money on additional cybersecurity measures to prevent future breaches.
- Reputational damage: The Caesar's Palace cybersecurity breach could damage the company's reputation and make it more difficult to attract and retain customers.
- Regulatory scrutiny: The Caesar's Palace cybersecurity breach is likely to attract the attention of regulators, who could investigate the company's cybersecurity practices and impose fines or other penalties.
SEC filings
On September 14, Caesar's Palace filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) disclosing the cybersecurity incident. The filing stated that the company was "investigating a recent cybersecurity incident that involved unauthorized access to its computer systems." The filing also stated that the company was "working to assess the impact of the incident and to take steps to protect its customers and employees."
Callie Guenther of Critical Start offered this perspective:
"SEC filings are formal documents that publicly traded companies in the U.S. must submit to the Securities and Exchange Commission to maintain transparency with their investors and the public. In the situations involving MGM Resorts and Caesars Entertainment, these filings likely provide critical details about the data breaches they experienced. Such filings would outline the nature and magnitude of the breach, the potential financial implications, the company's response and mitigation efforts, and any prospective risks related to the incident. For example, Caesars Entertainment used an SEC filing to disclose a breach impacting its loyalty program members. These disclosures are essential as they help investors comprehend the potential risks and ramifications of such security incidents on the company's overall financial health and reputation."
Scattered Spider
Scattered Spider is a relatively new hacking group that was first identified in May 2022. The group is believed to be based in the United States and the United Kingdom. Scattered Spider is known for using social engineering attacks to gain access to corporate networks.
Guenther provides more background on the Scattered Spider group:
"Scattered Spider is a financially-driven threat actor that has been active since at least May 2022. Their primary focus has been on telecommunications and Business Process Outsourcing (BPO) entities. The group has displayed a sophisticated understanding of cyber vulnerabilities and techniques, which has enabled them to achieve their objectives with significant efficacy.
In one of their recent techniques, they've employed what's termed as a 'Bring Your Own Vulnerable Driver' (BYOVD) attack. This involves the deployment of a vulnerable kernel-mode driver, such as the Intel Ethernet diagnostics drivers, as a method to gain elevated privileges within Windows systems, thereby evading Endpoint Detection and Response (EDR) solutions. Since device drivers have direct kernel access, exploiting a flaw in them allows threat actors like Scattered Spider to execute code with the highest privileges in Windows.
Researchers have repeatedly observed these tactics soon after releasing their previous report on Scattered Spider. Scattered Spider has specifically attempted to bypass security products like Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne. An interesting aspect of their operation is the exploitation of an older vulnerability, CVE-2015-2291, within the Intel Ethernet diagnostics driver. While this vulnerability was fixed in 2015, Scattered Spider plants an older, still vulnerable version on breached devices, enabling them to exploit this flaw regardless of the system's updates.
Further compounding the threat is the way Scattered Spider manages to bypass Windows' security measures. They employ drivers signed by stolen certificates from legitimate entities like NVIDIA and Global Software LLC. The aim here is not just infection but also disabling endpoint security products, allowing for a more extended presence on compromised networks.
One of the striking characteristics of Scattered Spider is their narrow targeting scope. Yet, considering their techniques, no organization can afford to overlook the threat posed by BYOVD attacks. Other threat groups, such as the BlackByte ransomware gang and the North Korean hacking group Lazarus, have also been spotted leveraging BYOVD attacks.
This highlights a persistent challenge within the Windows operating system. While Microsoft attempted to mitigate this threat in 2021 by introducing a driver blocklist, it wasn't until the 2022 release of Windows 11 that more stringent measures were put in place. Still, the implementation remains less than comprehensive, with the driver block list updated only with major Windows releases. Microsoft's recommendation is for users to activate this blocklist to shield against BYOVD attacks.
Scattered Spider's tactics encompass a blend of credential phishing, social engineering, and overwhelming targets with multifactor authentication notifications. They demonstrate a preference for legitimate remote management tools, which aids in persistent access while minimizing the risk of detection. With the BYOVD technique, they've gone a step further by attempting to deploy a malicious kernel driver through an already known vulnerability.
It's evident that the group's techniques are evolving, as demonstrated by their campaigns against telecom and BPO organizations in December 2022. Their primary objective, it appears, is to gain access to mobile carrier networks. Their brazenness and persistence are evident, given that they quickly pivot to other targets within sectors even after containment efforts."
Relation to the MGM Resorts breach
On September 13, Reuters reported that Scattered Spider was also behind a cybersecurity breach at MGM Resorts International in August 2023. The MGM breach affected millions of customers and caused significant disruption to the company's operations.
The fact that Scattered Spider is behind both the Caesar's Palace and MGM breaches suggests that the group is a sophisticated and well-funded threat actor. It also suggests that the group is targeting the casino industry specifically.
Geoff Haydon, CEO at Ontinue, said:
"In recent years, the hospitality and gaming industry has embraced digital transformation, integrating interconnected technology and IoT devices to enhance customer experiences. The recent cyberattacks on MGM Resorts and Caesars Entertainment underscore the range of vulnerabilities inherent in this digital ecosystem.
Large technology estates, characterized by a web of interconnected devices, present a fertile ground for cybercriminals. The use of wireless networks and IoT devices, while enhancing operational efficiency, opens up multiple entry points for hackers. A successful breach can lead to a domino effect, crippling integral systems and disrupting services that are vital to the on-the-ground experience of customers. Ransomware attacks, in particular, can have devastating effects. They not only jeopardize sensitive data but can bring operations to a standstill, forcing businesses to face the grim choice between paying a ransom or facing prolonged downtime. The hospitality and gaming industry, where customer experience is paramount, cannot afford such disruptions.
The economic repercussions of a large-scale cyberattack on entities like these extend far beyond the company's boundaries. In a city like Las Vegas, where the economy is significantly buoyed by the gaming and hospitality sector, such incidents can have a ripple effect, affecting auxiliary businesses and dampening the tourist influx."
What to do if you're a Caesar's Palace customer
If you're a Caesar's Palace customer, it's important to be vigilant about protecting your data. Here are a few tips:
- Monitor your bank accounts and credit card statements for unauthorized activity.
- Change your passwords for all of your online accounts, including your Caesar's Palace account.
- Enable two-factor authentication on all of your online accounts.
- Be careful about clicking on links in emails and text messages.
- Keep your software up to date.
